NAT hairpin in C/S mode configuration example

Network requirements

As shown in Figure 62, the internal FTP server at 192.168.1.4/24 provides services for internal and external users. The private network uses two public IP addresses 202.38.1.1 and 202.38.1.2.

Configure NAT hairpin in C/S mode to allow external and internal users to access the internal FTP server by using public IP address 202.38.1.2.

Figure 62: Network diagram

Requirements analysis

To allow external hosts to access the internal FTP server by using a public IP address, configure NAT Server on the interface connected to the external network.

To allow internal hosts to access the internal FTP server by using a public IP address, perform the following tasks: configure outbound NAT on the interface connected to the external network so that the source addresses of packets from internal hosts are translated, and enable NAT hairpin on the interface connected to the internal network.

Configuration procedure

# Specify IP addresses for the interfaces on the router. (Details not shown.)

# Configure ACL 2000, and create a rule to permit packets only from subnet 192.168.1.0/24 to be translated.

<Router> system-view
[Router] acl basic 2000
[Router-acl-ipv4-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-ipv4-basic-2000] quit

# Configure NAT Server on interface GigabitEthernet 1/0/2 to map the IP address of the FTP server to a public address, allowing external users to access the internal FTP server.

[Router] interface gigabitethernet 1/0/2
[Router-GigabitEthernet1/0/2] nat server protocol tcp global 202.38.1.2 inside 192.168.1.4 ftp

# Enable outbound NAT with Easy IP on interface GigabitEthernet 1/0/2 so that NAT translates the source addresses of packets from internal hosts permitted by ACL 2000 into the IP address of interface GigabitEthernet 1/0/2.

[Router-GigabitEthernet1/0/2] nat outbound 2000
[Router-GigabitEthernet1/0/2] quit

# Enable NAT hairpin on interface GigabitEthernet 1/0/1.

[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] nat hairpin enable

Verifying the configuration

# Verify that both internal and external hosts can access the internal FTP server through the public address. (Details not shown.)

# Display all NAT configuration and statistics.

[Router] display nat all
NAT outbound information:
  Totally 1 NAT outbound rules.
  Interface: GigabitEthernet1/0/2
    ACL: 2000
    Address group ID: ---
    Port-preserved: N    NO-PAT: N         Reversible: N
    Config status: Active

NAT internal server information:
  Totally 1 internal servers.
  Interface: GigabitEthernet1/0/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.2/21
    Local IP/port : 192.168.1.4/21
    Config status : Active

NAT logging:
  Log enable          : Disabled
  Flow-begin          : Disabled
  Flow-end            : Disabled
  Flow-active         : Disabled
  Port-block-assign   : Disabled
  Port-block-withdraw : Disabled
  Alarm               : Disabled

NAT hairpinning:
  Totally 1 interfaces enabled with NAT hairpinning.
  Interface: GigabitEthernet1/0/1
    Config status: Active

NAT mapping behavior:
  Mapping mode : Address and Port-Dependent
  ACL          : ---
  Config status: Active

NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
  ILS        : Enabled
  MGCP       : Enabled
  NBT        : Enabled
  PPTP       : Enabled
  RSH        : Enabled
  RTSP       : Enabled
  SCCP       : Enabled
  SIP        : Enabled
  SQLNET     : Enabled
  TFTP       : Enabled
  XDMCP      : Enabled

# Display NAT session information generated when Host A accesses the FTP server.

[Router] display nat session verbose
Initiator:
  Source      IP/port: 192.168.1.2/1694
  Destination IP/port: 202.38.1.2/21
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Responder:
  Source      IP/port: 192.168.1.4/21
  Destination IP/port: 202.38.1.1/1025
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
State: TCP_ESTABLISHED
Application: FTP
Start time: 2012-08-15 14:53:29  TTL: 3597s
Initiator->Responder:            7 packets        308 bytes
Responder->Initiator:            5 packets        312 bytes

Total sessions found: 1
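The session above shows the two-sided rewrite that C/S-mode hairpin performs: the destination is mapped by NAT Server, and the source of Host A is replaced with the GigabitEthernet 1/0/2 address (202.38.1.1) chosen by Easy IP, which is why the FTP server sees the router rather than 192.168.1.2 as its peer. The following Python model is an added example, not part of the configuration guide or the router software; it reproduces that translation and the initiator/responder view from a constructed packet, using assumed names (hairpin_translate, session_entry) and a fixed translated port of 1025 taken from the display output.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed model of the router's NAT state from the configuration above.
PUBLIC_IFACE_IP = "202.38.1.1"                                   # GigabitEthernet1/0/2 address used by Easy IP
NAT_SERVER = {("202.38.1.2", 21, "tcp"): ("192.168.1.4", 21)}     # nat server protocol tcp ... ftp
ACL_2000 = [ipaddress.ip_network("192.168.1.0/24")]               # rule permit source 192.168.1.0 0.0.0.255
HAIRPIN_IFACES = {"GigabitEthernet1/0/1"}                          # nat hairpin enable


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def acl_permits(acl, ip):
    """True if the address matches any permit rule of the (model) ACL."""
    return any(ipaddress.ip_address(ip) in net for net in acl)


def hairpin_translate(pkt, in_iface, nat_port=1025):
    """Model the C/S-mode hairpin forward path; returns (translated packet, reason).

    The destination is rewritten by the NAT Server mapping and the source by
    Easy IP, but only when the outbound ACL permits the source. Every other case
    is reported as untranslated (a simplification of this model, not vendor behaviour).
    """
    if in_iface not in HAIRPIN_IFACES:
        return None, "hairpin not enabled on ingress interface"
    mapping = NAT_SERVER.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
    if mapping is None:
        return None, "no NAT Server mapping for destination"
    if not acl_permits(ACL_2000, pkt.src_ip):
        return None, "source not permitted by ACL 2000"
    local_ip, local_port = mapping
    return replace(pkt, src_ip=PUBLIC_IFACE_IP, src_port=nat_port,
                   dst_ip=local_ip, dst_port=local_port), "translated"


def session_entry(original, translated):
    """Build the initiator/responder view that 'display nat session verbose' shows:
    the responder is the real server replying to the translated source."""
    return {
        "initiator": (original.src_ip, original.src_port, original.dst_ip, original.dst_port),
        "responder": (translated.dst_ip, translated.dst_port, translated.src_ip, translated.src_port),
    }


if __name__ == "__main__":
    host_a = Packet("192.168.1.2", 1694, "202.38.1.2", 21)   # Host A, as in the session output
    out, why = hairpin_translate(host_a, "GigabitEthernet1/0/1")
    print(why, session_entry(host_a, out))
```

Because the server only ever sees 202.38.1.1 for hairpinned clients, its own logs cannot attribute internal FTP activity to a host; keep the router's NAT session records if that attribution is needed.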